Method and system for personal identification

ABSTRACT

The method and system of the invention utilizes a private key of a public-key cryptosystem key pair to encrypt a non-secret password into a digital signature. The password and the digital signature are then encoded and stored on a magnetic stripe or other memory device of the card. To effect a transaction, the digital signature on a received card must be shown to have been generated from the password on the received card. The password preferably includes a digitized photograph of the authorized cardholder which is capable of being displayed at the transaction terminal. This enables the operator of the terminal to verify the identity of the cardholder by visual inspection.

TECHNICAL FIELD

The present invention relates generally to personal identificationschemes and more particularly to a method and system for issuingauthorized personal identification cards and for preventing unauthorizeduse thereof during transaction processing.

BACKGROUND OF THE INVENTION

Password-based protection schemes for credit cards or other personalidentification cards are well-known in the prior art. Such cardstypically include a memory comprising a magnetic tape or other storagemedia affixed to the card. They may also include a data processingcapability in the form of a microprocessor and an associated controlprogram. In operation, a card issuer initially stores in the memory apersonal identification number, i.e., a secret password, as well as avalue representing a maximum dollar amount. To effect a transaction, thecard is placed in a terminal and the user is required to input his orher password. If the terminal verifies a match between the user-inputtedpassword and the password stored on the card, the transaction is allowedto proceed. The value of the transaction is then subtracted from thevalue remaining on the card, and the resulting value represents theavailable user credit.

Techniques have also been described in the prior art for protectingagainst the illegitimate issuance of credit cards such as the typedescribed above. In U.S. Pat. No. 4,453,074 to Weinstein, each such cardhas stored therein a code which is the encryption of a concatenation ofa user's secret password and a common reference text. The encryption isderived in an initialization terminal through the use of a private keyassociated with the public key of a public-key cryptosystem key pair. Inoperation, a cardholder presents his or her card to a transactionterminal. The terminal decrypts the stored code on the card inaccordance with the public key of the public-key cryptosystem pair. Atransaction is effected only if the stored code decrypts into the userpassword, inputted on a keyboard by the cardholder, and the commonreference text.

While the method described in the Weinstein patent provides an adequateprotection scheme for preventing the fraudulent issuance of creditcards, this scheme requires each user to have a secret or "private"password which must be memorized and inputted into the transactionterminal. Weinstein also requires additional circuitry for concatenatingthe user's secret password with the common reference text. This latterrequirement, while purportedly required to insure the integrity of theprotection scheme, increases the complexity and the cost of the system.

It would therefore be desirable to provide an improved method forissuing personal identification cards using a public-key cryptosystem inwhich a "secret" password need not be memorized by the authorized useror concatenated with a common reference text to maintain the systemsecurity.

BRIEF SUMMARY OF THE INVENTION

The present invention describes a method and system for issuingauthorized personal identification cards and for preventing theunauthorized use thereof using a public-key cryptosystem.

According to one feature of the invention, each authorized user of acard is assigned a password having a portion thereof which is generatedfrom a representation of some non-secret or "public" characteristic ofthe user. The password is then processed to produce a digital"signature" which, along with the password, is thereafter stored on thecard. To authorize a transaction at a transaction terminal, the digitalsignature from a received card must first be shown to have beengenerated from the password on the received card. The password is alsoprocessed at the transaction terminal to display a representation of the"public" characteristic encoded thereon. The public characteristic isthen verified by an operator of the transaction terminal before atransaction is authorized.

It is very difficult to create a valid signature for any personal datawithout the proper private key, although it is simple for anyone toverify whether or not the signature for a password on the card isauthentic, even without the private key. Only a card issuer can thusmake a valid card and only a user with matching personal characteristicscan use the card.

In the preferred embodiment, the password includes data representing apictorial representation of a physical characteristic (e.g., the face,fingerprint, voice sample or the like) of the authorized user.Alternatively, or in addition to the pictorial representation data, thepassword may contain other data pertinent to the user, such as theuser's age, address, nationality, security clearance, bank accountbalance, employer, proof of ownership, or the like. The password mayalso include one or more codewords, each of the codewords authorizing aspecific transaction such as permission to receive certain funds on acertain date, permission to see classified documents, permission toenter into a country on a certain date (i.e., a visa), attestation toperform certain acts, or the like. Although not meant to be limiting,the personal identification card may be a credit card, a driver'slicense, a passport, a membership card, an age verification card, a bankcard, a security clearance card, a corporate identification card or anational identification card.

In the preferred embodiment, a method for issuing an authorized personalidentification card comprises the steps of generating the pictorialrepresentation of a physical characteristic of the authorized user,processing the pictorial representation to generate a password, mappingthe password with a predetermined function to generate a mappedpassword, digitally signing the mapped password with a private key of apublic-key cryptosystem pair to generate a signature corresponding tothe mapped password, encoding the password and the signature with apredetermined function to generate an encoded password/signature, andstoring the encoded password/signature on a personal identificationcard.

To enable an authorized user of the personal identification card toeffect a transaction using a transaction terminal, the subject inventiondescribes a method comprising the steps of receiving the personalidentification card at the transaction terminal, decoding the encodedpassword/signature of the received personal identification card togenerate a received password and a received signature, mapping thereceived password with the predetermined function to generate a mappedpassword for the received personal identification card, and digitallyverifying, using the public key of the public-key cryptosystem pair,whether the received signature can be generated from the mapped passwordfor the received personal identification card. If the received signaturecan be generated from the mapped password using the public key, themethod continues by generating an indication that the received signatureis valid. A pictorial representation is then generated from the receivedpassword, and the pictorial representation and the indication are thendisplayed on a display of the transaction terminal to enable an operatorthereof to verify that the user is authorized to effect a transactionusing the personal identification card.

Preferably, the digital signing routine of the method includes the stepsof multiplying the mapped password "Q" by each of the four factors ±1modulo "M" and ±2 modulo "M", where M=P₁ ·P₂. As used herein, "M" refersto the public key of the public-key cryptosystem pair and (P₁,P₂) refersto the private key thereof, where "P₁ " and "P₂ " are secret primenumbers which are preselected such that only one of the four values ±Qmod M and ±2Q mod M is a quadratic residue modulo "M". According to thedigital signing routine, the four values ±Q mod M and ±2Q mod M areevaluated to determine which of these values is a quadratic residuemodulo "M". The square root of the quadratic residue is then computed togenerate the signature. Because the square root computation is extremelydifficult to carry out without knowing the factorization of the secretprime numbers of the private key, unauthorized third parties are notcapable of producing a card "signature" which, when digitally verifiedat the transaction terminal, can be shown to have been generated fromthe mapped password on the received personal identification card.

In accordance with yet another feature of the invention, a system forissuing authorized personal identification cards and for preventingunauthorized use thereof includes a plurality of issuing transactionterminals, each of the issuing transaction terminals being uniquelyassociated with one issuer of personal identification cards. Each issueris assigned or selects its own public-key cryptosystem key pair whichmay or may not be different from the public-key cryptosystem key pair ofevery other issuer in the system. This arrangement, especially suited toa passport control system or the like, enables the operator of atransaction terminal to verify signatures from one or more of theissuers.

According to a further feature of the invention, a unique personalidentification card is provided for effecting transactions via at leastone transaction terminal. The identification card preferably includes abody portion and a memory within the body portion for storing a passwordand a signature derived from the password. The password includes aportion thereof which is generated from a pictorial representation of anon-secret characteristic of the authorized user, such as the user'sface. The signature is derived from the password with the private key ofa public-key cryptosystem pair.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and theadvantages thereof, reference is now made to the following Descriptiontaken in conjunction with the accompanying Drawings in which:

FIG. 1 is a schematic representation of one type of personalidentification card according to the invention, the card having apicture of a physical characteristic of an authorized user of theidentification card;

FIG. lA is a diagrammatic representation of a portion of a magneticstripe of the personal identification card of FIG. 1 showing a"password" generated in part from the picture on the identificationcard;

FIG. 2 is a general flowchart diagram of the preferred method of thepresent invention for issuing an authorized personal identification cardsuch as shown in FIG. 1;

FIG. 3 is a detailed flowchart diagram of the digital signing routine ofFIG. 2;

FIG. 3A is a flowchart diagram of a routine for selecting the secretprime numbers of the private key (P₁,P₂);

FIG. 4 is a general flowchart diagram of the preferred method of thepresent invention for preventing unauthorized use of the personalidentification card of FIG. 1 which is issued according to the method ofFIG. 2;

FIG. 5 is a detailed flowchart diagram of the digital verifying routineof FIG. 4; and

FIG. 6 is a block diagram of a representative multi-issuer systemaccording to the present invention.

DETAILED DESCRIPTION

With reference now to the drawings wherein like reference numeralsdesignate like or similar parts or steps, FIG. 1 is a schematicrepresentation of a personal identification card 10 for use according tothe present invention for effecting transactions via a transactionterminal. As noted above, the term "personal identification card"according to the present invention is to be read expansively and isdeemed to cover credit cards or other commonly known forms ofidentification such as a passport, a driver's license, a membershipcard, an age identification card, a security clearance card, a corporateidentification card, a national identification card, or the like.

Personal identification card 10 in FIG. 1 is a driver's license. Card 10includes a body portion 12 having a display 14 and a memory 16. Althoughnot meant to be limiting, the memory 16 is preferably a magnetic stripeor similar media, or an electronic memory such as a PROM, affixed to orembedded in the card in a known manner. The personal identification cardmay or may not include an integral microprocessor embedded in the bodyportion. As seen in FIG. 1, the display 14 of the personalidentification card 10 supports a pictorial representation 18 of aphysical characteristic of the authorized user; e.g., the user's face.Of course, the display 14 may also display pictorial representations ofother physical features of the user such as the user's fingerprint orpalm print.

Referring now to FIG. lA, according to the present invention the memory16 of the personal identification card 10 preferably includes a"password" 20 unique to the authorized user and having a portion 20athereof which is generated from a representation of some non-secret or"public" characteristic of the user. As used herein, the term"non-secret" refers to the fact that the representation of theauthorized user, such as the user's face, is readily ascertainable byviewing and comparing the personal identification card and theauthorized user directly. In the preferred embodiment, the section 20aof the password is a digital bitstream representing a digitized versionof the pictorial representation 18 on the personal identification card10.

As also seen in FIG. lA, the password 20 may include a portion 20bhaving data representing one or more personal facts about the authorizeduser such as the user's age, address, nationality, security clearance,employer, bank account balance, eye color, height, weight, mother'smaiden name, or any other such information. This information may or maynot be public. Moreover, the password 20 may further include a portion20c having one or more codewords, each of the codewords authorizing aspecific transaction such as permission to enter a country on a certaindate, permission to receive certain funds on a certain date, permissionto review certain classified documents, or one or more other suchspecific transactions. Of course, the password 20 may include one ormore of the predetermined types of data, 20a, 20b, and/or 20c, shown inFIG. lA.

As also seen in FIG. lA, the memory 16 of the personal identificationcard 10 also includes a signature 22, which, as will be described inmore detail below, is derived from the password 20 using the private keyof a "public-key cryptosystem" key pair. A "public-key cryptosystem" isa well known security scheme which includes two "keys," one key which ispublic (or at least the key-pair owner does not really care if itbecomes public) and one key which is private or non-public. All suchpublic-key cryptosystem pairs include a common feature--the private keycannot be determined from the public key.

Referring now to FIG. 2, a general flowchart diagram is shown of thepreferred method of the present invention for issuing an authorizedpersonal identification card 10 such as shown in FIG. 1. At step 30, thecard issuer collects the necessary personal data from a card applicant.Although not meant to be limiting, this data preferably includes apictorial representation of a physical characteristic of the authorizeduser. For example, the data may include a photograph of the cardapplicant. At step 32, the photograph, other personal data and/or codeauthorizations are processed to generate a password as described abovein FIG. lA.

At step 34, the password is mapped with a predetermined one-way function"F" to generate a mapped password "Q" which may have a lengthsubstantially less than the length of the password. This "mapping" stepis typically required to reduce the length of the digital bitstreamcomprising the password, especially when a digitized photograph of theauthorized user is stored therein. By way of example only, thepredetermined one-way function "F" may be any one or more of severalwell-known i.e., public hashing functions such as one obtainable fromthe DES scheme or the Goldwasser, Micali & Rivest scheme. Alternatively,the function "F" may be an identity function which simply transfers thepassword through step 34 without modification. The identity functionmight be used where the password length is sufficiently smaller than theavailable storage capability of the memory 16.

At step 36, the method continues to "digitally sign" the mapped password"Q" with a private key (P₁,P₂) of a pubic-key cryptosystem pair togenerate a so-called "signature". As will be described in more detailbelow, in the preferred embodiment "P₁ " and "P₂ " are secret primenumbers and the public-key cryptosystem pair includes a public key "M"which is equal to "P₁ ·P₂ ". At step 38, the method encodes the password(as opposed to the mapped password) and the signature with anerror-correcting code to generate an encoded password/signature. Step 38insures that the card 10 will be usable even if some of its data isdestroyed. At step 40, the encoded password/signature is stored on thepersonal identification card in the manner substantially as shown inFIG. lA.

Although not shown in detail in FIG. 2, it should be appreciated thatthe card issuer may digitally sign one or more digital signatures on thecard 10 at one or more different times using different public-keycryptosystem pair keys. The card could then function as a passport witheach signature derived from a different cryptosystem key paircorresponding to a different country (i.e., a visa). It may also bedesirable in the method of FIG. 2 to include an additional encryptionstep wherein the password is encrypted with a predetermined functionprior to the mapping step and/or where the signature itself isencrypted. This enables the card to carry information which is desiredto be maintained highly confidential even if the card were lost orstolen.

Referring now to FIG. 3, a detailed flowchart diagram is shown of thepreferred digital signing routine of the present invention. As describedabove, "M" is the public key of the public-key cryptosystem and (P₁,P₂)is the private key thereof. According to the routine, the secret primenumbers "P₁ " and "P₂ " are selected at step 42 such that when themapped password Q is multiplied by four predetermined factors, ±1 modulo"M" and ±2 modulo "M," one and only one of the resulting values ±Q mod Mand ±2Q mod M is a quadratic residue modulo "M". The security of thepreferred digital signing routine is based primarily on the fact that isit extremely difficult to compute the square root of the quadraticresidue modulo "M" without knowing the factorization of M=P₁ ·P₂.

Referring back to FIG. 3, at step 44 the mapped password "Q" ismultiplied by each of the factors ±1 mod M and ±2 mod M. The routinecontinues at step 46, wherein each of the resulting values ±Q mod M and±2Q mod M are evaluated to locate the quadratic residue mod "M". Whenthis value is located, the routine computes the square root thereof atstep 48 to generate the digital signature.

Although not shown in detail, it should be appreciated that the privatekey may include any number of secret prime numbers (P₁,P₂,P₃, . . .P_(n)). Preferably, the secret prime numbers are selected according tothe routine shown in FIG. 3A. At step 35, an n-bit random number "x₁ "is generated. The number of bits "n" needs to be large enough (e.g., 250bits) such that it is difficult to factor "M". At step 37, x₁ isincremented to be congruent to a predetermined value, e.g., "3 mod 8".At step 39, a test is made to determine if x₁ is prime. If so, then theroutine continues at step 41 by setting x₁ =P₁. If x₁ is not prime, thenx₁ is incremented at step 43 (by setting x₁ =x₁ +8) and the routinereturns to step 39. Once P₁ is selected, the routine continues at step45 to generate another n-bit random number "x₂ ". At step 47, x₂ isincremented to be congruent with a second predetermined value, e.g., "7mod 8". At step 49, a test is made to determine if x₂ is prime. If so,then the routine continues at step 51 by setting x₂ =P₂. If x₂ is notprime, then x₂ is incremented at step 53 (by setting x₂ =x₂ +8) and theroutine returns to step 49. Once P₂ is selected, the public key "M" isset equal to P₁ ·P₂ at step 55.

It is also desirable to store P₁ and P₂ in the issuing terminalresponsible for computing signatures. Moreover, it is possible todistribute the private key (P₁,P₂) from one terminal to another withoutany person being able to discern the key by using another public-keycryptosystem pair (for which the private key is known only to thereceiving terminal). Moreover, while the digital signing routine of FIG.3 is preferred, other schemes, such as RSA, the Goldwasser, Micali &Rivest scheme and/or the Rabin scheme, may be use. Such schemes may alsorequire knowledge of the public key, although the routine of FIG. 3 doesnot. In any case, the process of generating the "signature" is fast ifthe private key is known but is prohibitively slow otherwise. Anyattempt to issue counterfeit cards is complicated further by the use ofa one-way function "F" to hash the password into the mapped password"Q". In this way, it becomes virtually impossible for a counterfeiter tomount a chosen-text attack on the card generation scheme even if thecounterfeiter could somehow obtain signatures for fake personal data.

Referring now to FIG. 4, a general flowchart diagram is shown of apreferred method for preventing unauthorized use of the personalidentification card 10 issued according to the routines of FIGS. 2-3. Atstep 50, the personal identification card is received at a transactionterminal. At step 52, the encoded password/signature is decoded togenerate a received password and a received signature. Preferably, themethod includes a step 54 wherein errors in the received password andreceived signature are corrected in accordance with well-knowntechniques. At step 56, the received password is mapped, with the samepredetermined function "F" used at the issuing terminal, to generate amapped password "Q_(R) " for the received personal identification card.

The routine then continues at step 58 to verify that the receivedsignature is "valid". In particular, the method digitally verifies,using the public key of the public-key cryptosystem pair, whether thereceived signature can be generated from the mapped password "Q_(R) ".If so, the method continues at step 60 to generate an indication thatthe received signature is valid. At step 62, a representation isgenerated from data in the received password. This representation willbe a picture if the original password stored on the card included adigitized photograph of the authorized cardholder. Of course, step 62can be performed in parallel with steps 58 and 60 so that the picture isimmediately displayed while the signature verification takes place.Referring back to FIG. 4, at step 64, the method displays either thepictorial representation or the indication, or both, on a display of thetransaction terminal. This display is then verified by an operator ofthe terminal at step 66 to insure that the cardholder is authorized toeffect a transaction.

It should be appreciated that the personal identification card generatedaccording to the method of FIG. 2 can be used in any situation requiringuser identification. For example, and not by way of limitation, theauthorized user can present the card to an authorized salesperson forcharging a purchase. The salesperson would enter the card into thetransaction terminal which is capable of reading the data from thecard's memory, verifying that the (digital) signature on the card isvalid, and displaying on the display screen information derived from thepassword. The salesperson an therefore be assured that the cardholder'sidentity is as claimed and proceed with the charge.

Referring now to FIG. 5, a detailed flowchart is shown of the preferreddigital verification routine of FIG. 3. At step 68, the routinemultiplies the mapped password "Q_(R) " from the received personalidentification card by each of the factors ±1 mod M and ±2 mod M. Themethod continues at step 70 by squaring modulo "M" the receivedsignature to generate a value "X". At step 72, a test is made todetermine whether "X" equals either ±Q_(R) mod M or ±2Q_(R) mod M. Ifso, the routine continues at step 74 to generate the indication that thereceived signature is valid. If "X" does not equal any one of these fourfactors, the signature is invalid and the transaction is inhibited.

Of course, the method and system of the present invention is easilyadaptable to a multi-issuer scenario where several parties desire toissue cards using different cryptosystem pairs, but where verifiers(i.e., operators of transaction terminals) need to authenticate a cardfrom any of the issuers. This can be accomplished by encoding the publickey used by each issuer into each transaction terminal and thenrequiring the operator thereof to enter into the terminal both theidentity of the issuer along with the card itself; alternatively, theidentity of the card issuer can be encoded on the card. This type ofsystem is shown in FIG. 6, wherein a plurality of issuing terminals 76a.. . 76n are provided for one or more independent issuers of authorizedpersonal identification cards. Each of the independent issuers isassigned or selects a distinctive public-key cryptosystem pair unknownto the other issuers. As noted above, the public key of each such pairis then encoded into each of the one or more transaction terminals 78a .. . 78n which are shared by all of the issuers.

The system of FIG. 6 is useful for passport control, nationalidentification cards, or multi-company credit cards, although suchapplications are not meant to be limiting. In operation of a passportsystem, for example, each country would have complete autonomy over thepersonal identification cards it issues, but a single transactionterminal would be used to authenticate the signature (which couldinclude a visa) of any country.

Although not described in detail, it can be appreciated by those skilledin the art that the method and system of the present invention can bereadily implemented with preexisting hardware and software. In thepreferred embodiment, and as shown in FIG. 6, each of the issuingterminals 76 includes a microcomputer 80 and associated memory devices82 for storing operating programs and application programs for carryingout the method steps of FIG. 2. Input/output devices, such as a keyboard84 and display 86, are provided for interfacing the terminal to the cardissuer. Of course, one or more of the method steps (e.g., the digitalsigning step, the mapping step and the encoding step) can be implementedin either gate array logic chips or software. Likewise, each of thetransaction terminals 78 preferably includes a microprocessor 88,associated memory 90, and appropriate input/output devices such ascardreader 92, keyboard 94 and display 96.

While the above discussion relates specifically to protection schemesfor personal identification cards, it should be appreciated that thepassword/signature security routines of the present invention may alsobe used where the personal data is transmitted over a communicationschannel as opposed to being stored on an identification card per se.Returning back to FIG. 6, this aspect of the invention is achieved byproviding a communications channel 100, e.g., a telephone link viamodems, between an issuing terminal 76b and a transaction terminal 78a.

In operation, the method steps of FIG. 2 would be the same as previouslydescribed except that step 40 is deleted and a step of transmitting theencoded password/signature over the communications channel 100 issubstituted therefor. Likewise, step 50 of the verification routine inFIG. 4 is deleted and is substituted with a step whereby the informationprovided over the communications channel 100 is received at thetransaction terminal and then processed according to the remainder ofthe steps in FIG. 4. In this way, the password/signature method is usedfor personal identification where the medium for supporting andtransmitting the password and the signature is the communicationschannel itself rather than the identification card.

Although the invention has been described and illustrated in detail, thesame is by way of example only and should not be taken by way oflimitation. The spirit and scope of the present invention are limitedonly by the terms of the appended claims.

I claim:
 1. A method for enabling an authorized user of a personalidentification card to effect a transaction using a transactionterminal, comprising the steps of:generating a first data string havinga portion thereof which is derived from a physical characteristic of theauthorized user and need not be retained secret; mapping the first datastring using a predetermined function F to generate a second data stringQ having a length substantially less than the length of the first datastring; digitally signing the second data string with a private key of apublic-key cryptosystem pair to generate a signature corresponding tothe second data string, the public-key cryptosystem pair also having apublic key M; encoding the first data string and the signature togenerate an encoded first data string/signature; storing the encodedfirst data string/signature on the personal identification card;receiving the personal identification card at the transaction terminal;decoding the encoded first data string/signature on the receivedpersonal identification card to generate the first data string and areceived signature; mapping the first data string with the predeterminedfunction F to generate the second data string; digitally verifying,using the public key M of the public-key cryptosystem pair, whether thereceived signature can be generated from the second data string; if thereceived signature can be generated from the second data string usingthe public key, generating an indication that the received signature isvalid; generating a representation from the first data string; anddisplaying the representation and the indication on a display of thetransaction terminal to enable an operator thereof to verify that theuser is authorized to effect a transaction using the personalidentification card.
 2. The method for enabling an authorized user of apersonal identification card to effect a transaction as described inclaim 1 wherein the first data string includes data representing apictorial representation of the physical characteristic of theauthorized user.
 3. The method for enabling an authorized user of apersonal identification card to effect a transaction as described inclaim 1 wherein the first data string includes data representing one ormore personal facts about the authorized user.
 4. The method forenabling an authorized user of a personal identification card to effecta transaction as described in claim 1 wherein the first data stringincludes one or more codewords, each of the codewords authorizing aspecific transaction.
 5. The method for enabling an authorized user of apersonal identification card to effect a transaction as described inclaim 1 wherein the first data string includes data representing apictorial representation of the physical characteristics of theauthorized user, data representing one or more personal facts about theauthorized user, and at least one codeword authorizing a specifictransaction using the personal identification card.
 6. The method forenabling an authorized user of a personal identification card to effecta transaction as described n claim 1 wherein the predetermined functionF is an identity function.
 7. The method for enabling an authorized userof a personal identification card to effect a transaction as describedin claim 1 wherein the predetermined function F is a hashing functionbased on a DES scheme.
 8. The method for enabling an authorized user ofa personal identification card to effect a transaction as described inclaim 1 wherein the encoding step includes the step of:encoding thefirst data string and the signature with an error-correcting code. 9.The method for enabling an authorized user of a personal identificationcard to effect a transaction as described in claim 1 wherein thedecoding step includes the step of:correcting errors in the first datastring and in the received signature decoded from the encoded first datastring/signature.
 10. The method for enabling an authorized user of apersonal identification card to effect a transaction as described inclaim 1 wherein the digital signing step includes the stepsof:multiplying the second data string by each of the factors ±1 mod Mand ±2 mod M; determining which of the four values ±Q mod M and ±2Q modM is a quadratic residue modulo M, where M equals a product of P₁multiplied by P₂ and P₁ and P₂ are secret prime numbers which arepreselected such that only one of the four values ±Q mod M and ±2Q mod Mis a quadratic residue modulo M; and computing the square root of thequadratic residue to generate the signature.
 11. The method for enablingan authorized user of a personal identification card to effect atransaction as described in claim 10 wherein the digitally verifyingstep includes the steps of:multiplying the second data string by each ofthe factors ±1 mod M and ±2 mod M; squaring modulo the receivedsignature to generate a value X; determining whether X equals either ±Qmod M or ±2Q mod M; and if X equals either ±Q mod M or ±2Q mod M,generating the indication that the received signature is valid.
 12. Amethod for issuing a personal identification card for an authorized userof the personal identification card, comprising the steps of:generatinga pictorial representation of a physical characteristic of theauthorized user; processing the pictorial representation to generate afirst data string; mapping the first data string with a predeterminedone-way function to generate a second data string Q having a lengthsubstantially less than the length of the first data string; digitallysigning the second data string Q with a private key of a firstpublic-key cryptosystem pair to generate a first signature, where P₁ andP₂ are secret prime numbers and the first public-key cryptosystem pairalso includes a public key M which is equal to a product of P₁multiplied by P₂ ; encoding the first data string and the firstsignature with an error-correcting code to generate an encoded firstdata string/signature; and storing the encoded first datastring/signature on the personal identification card.
 13. The method forissuing a personal identification card as described in claim 12 furtherincluding the steps of:digitally signing the second data string with aprivate key of a second public-key cryptosystem pair to generate asecond signature; and encoding the second signature along with the firstdata string and the first signature.
 14. The method for issuing apersonal identification card as described in claim 12 further includingthe step of:augmenting the first data string to include datarepresenting one or more personal facts about the authorized user. 15.The method for issuing a personal identification card as described inclaim 12 further including the step of:augmenting the first data stringto include one or more codewords, each of said codewords authorizing aspecific transaction using the personal identification card.
 16. Themethod for issuing a personal identification card as described in claim15 wherein the personal identification card is a passport and each ofthe cryptosystem pairs corresponds to a different country.
 17. Themethod for issuing a personal identification card as described in claim12 wherein the digital signing step includes the steps of:multiplyingthe second data string by each of the predetermined factors ±1 mod M and±2mod M; determining which of the values ±Q mod M and ±2Q mod M is aquadratic residue modulo M, where the secret prime numbers P₁ and P₂ arepreselected such that only one of the four values ±Q mod M and ±2Q mod Mis a quadratic residue modulo M; and computing the square root of thequadratic residue modulo M to generate the first signature.
 18. Themethod for issuing a personal identification card as described in claim12 further including the step of:encrypting the first data string with apredetermined function prior to the mapping step.
 19. A system forissuing authorized personal identification cards and for preventingunauthorized use thereof, comprising:issuing terminal means for issuinga plurality of personal identification cards, each of said cards havingstored therein a first data string with a portion thereof derived from aphysical characteristic of an authorized user of the card, each of saidcards also having stored therein a signature derived from a second datastring using a private key of a public-key cryptosystem pair, thepublic-key cryptosystem pair also having a public key, the second datastring being derived from the first data string using a predeterminedone-way function and having a length substantially less than the lengthof the first data string; and transaction terminal means including atleast one transaction terminal for receiving a personal identificationcard offered to effect a transaction using the transaction terminal, thepersonal identification card having the first data string and a receivedsignature stored therein, wherein the transaction terminal comprisesmeans, using the public key of the public-key cryptosystem pair, forverifying that the received signature can be generated from the firstdata string, means responsive to the verifying means for generating arepresentation from the first data string, and means for displaying therepresentation and an indication of whether the received signature canbe generated from the first data string to enable an operator of thetransaction terminal to verify that the user of the offered personalidentification card is authorized to effect a transaction.
 20. Thesystem as described in claim 19 wherein the issuing terminal meansincludes at least one issuing terminal for one or more independentissuers of authorized personal identification cards, each of theindependent issuers having a distinctive public-key cryptosystem pairunknown to the other issuers.
 21. A system for allowing authorizingusers of personal identification cards to effect transactions via atleast one transaction terminal comprising a plurality of said cards eachhaving stored therein a signature which is the digital signature of asecond data string, the second data string being derived from a firstdata string derived from a physical characteristic associated with arespective user, the second data string derived from the first datastring using a predetermined one-way function and having a lengthsubstantially less than the length of the first data string, thesignature stored in each of said cards having been derived with the sameprivate key of a public-key cryptosystem pair also having a public key;and at least one transaction terminal having means for controlling (1)the retrieval of the first data string and the signature stored in theinserted card, (2) the digital verification of the signature with theuse of the public key of the public-key cryptosystem pair, (3) thegeneration of a pictorial representation from the first data string, and(4) the effecting of a transaction only if the signature is verified andthe pictorial representation matches the user.
 22. A terminal forinitializing personal identification cards, to be used with at least onetransaction terminal, each card having a memory therein, comprisingmeans for assigning a first data string having a portion thereof whichis derived from a physical characteristic of a user whose card is to beinitialized, means for mapping the first data string with apredetermined one-way function to generate a second data string having alength substantially less than the length of the first data string,means for deriving a digital signature from the second data string, thesignature for each user being derived with use of a private key of apublic-key cryptosystem pair also having a public key, and means forcontrolling the storing in a user card of the respective derived digitalsignature.
 23. A personal identification card, for use in effectingtransactions via at least one transaction terminal, comprising a bodyportion, a memory within said body portion for storing a signature, saidsignature being the digital signature of a second data string derivedfrom a first data string having at least a portion thereof being derivedfrom a physical characteristic of a respective card user, the seconddata string being derived from the first data string using apredetermined one-way function and having a length substantially lessthan the length of the first data string, wherein said signature isderived from the second data string with the private key of a public-keycryptosystem pair.
 24. A method for personal identification, comprisingthe steps of:generating a first data string having a portion thereofwhich is derived from a physical characteristic of a user and need notbe retained secret; mapping the first data string using a predeterminedfunction to generate a second data string; digitally signing the seconddata string with a private key of a public-key cryptosystem pair togenerate a signature corresponding to the second data string, thepublic-key cryptosystem pair also including a public key; encoding thefirst data string and the signature to generate an encoded first datastring/signature; transmitting the encoded first data string/signatureover a communications channel; receiving the encoded first datastring/signature at a transaction terminal; decoding the receivedencoded first data string/signature to generate the first data stringand a received signature; mapping the first data string with thepredetermined function to generate the second data string; digitallyverifying, using the public key of the public-key cryptosystem pair,whether the received signature can be generated from the second datastring; if the received signature can be generated from the second datastring using the public key, generating an indication that the receivedsignature is valid; generating a representation from the first datastring; and displaying the representation and the indication on adisplay of the transaction terminal to enable an operator thereof toverify that the user is authorized to effect a transaction.
 25. A methodfor enabling an authorized user of a personal identification card toeffect a transaction using a transaction terminal, comprising the stepsof:generating a first data string having a portion thereof which isderived from a physical characteristic of the authorized user and neednot be retained secret; digitally signing the first data string with aprivate key of a public-key cryptosystem pair to generate a signaturecorresponding to the first data string, the public-key cryptosystem pairalso having a public key M; storing the first data string and thesignature on the personal identification card; receiving the personalidentification card at the transaction terminal; digitally verifying,using the public key M of the public-key cryptosystem pair, whether thesignature on the personal identification card received at thetransaction terminal can be generated from the first data string; if thesignature can be generated from the first data string using the publickey, generating an indication that the signature is valid; generating arepresentation from the first data string; and displaying therepresentation and the indication on a display of the transactionterminal to enable an operator thereof to verify that the user isauthorized to effect a transaction using the personal identificationcard.
 26. A method for enabling an authorized user of a personalidentification card to effect a transaction using a transactionterminal, the personal identification card having stored therein a firstdata string having a portion thereof which is derived from a physicalcharacteristic of the authorized user and need not be retained secret,and a signature of the first data string derived from a private key of apublic-key cryptosystem pair, the public-key cryptosystem pair alsohaving a public key M, comprising the steps of:receiving the personalidentification card at the transaction terminal; digitally verifying,using the public key M of the public-key cryptosystem pair, whether thesignature on the personal identification card received at thetransaction terminal an be generated from the first data string; if thesignature can be generated from the first data string using the publickey, generating an indication that the signature is valid; generating arepresentation from the first data string; and displaying therepresentation and the indication on a display of the transactionterminal to enable an operator thereof to verify that the user isauthorized to effect a transaction using the personal identificationcard.